r/KeyCloak

How we reduced Keycloak container CVE noise and hardened it for Enterprise production

Hey everyone,

Standard Keycloak images are great out of the box for dev, but when moving to enterprise production, compliance teams usually flag the base image vulnerabilities (CVE noise) and standard root execution policies.

We’ve been working on production-ready IAM infrastructure at Keymate, and we had to harden our upstream Keycloak container images to meet strict corporate standards.

Instead of keeping this internal, we mapped out our entire hardening framework. Here are the core adjustments we made:

  1. Base Image Swap: Swapped standard bases for minimalist/distroless alternatives. This alone cut down container scan noise significantly.

  2. Hardening Access: Enforced strict non-root execution to mitigate potential container breakouts.

  3. Attack Surface Reduction: Stripped out unnecessary shells (/bin/sh) to block common post-exploitation RCE tactics.

  4. Security Standards: Aligned the configuration layer with CIS Container Benchmarks and NIST SP 800-190.

We wrote down the detailed technical implementation, architectural decisions, and why this matters for regulatory compliance.

If you are running Keycloak in production, hopefully, this saves your team some time: https://keymate.io/blog/hardened-keycloak-container-image

Cheers

u/isro44 — 2 days ago
▲ 14 · 1 crosspost

Keycloak v26.6.2 released.

One thing with IAM platforms: even small patch releases can have significant operational impact because authentication systems sit in the critical path for almost everything.

Updates here can affect:

  • authentication flows
  • token handling
  • integrations and identity federation
  • overall security posture

The hard part usually isn’t upgrading itself — it’s understanding whether the release actually matters for your setup.

We tracked the release here in a structured way:
https://www.relnx.io/releases/keycloak-v26-6-2

Curious how others handle this:
Do you deploy IAM patch releases immediately, or validate heavily before rollout?

u/a7medzidan — 2 days ago

Keycloak has added experimental support for AuthZEN Authorization APIs

Hi all. I have recently added support for the AuthZEN Authorization Evaluation and Evaluations APIs to the Keycloak nightly build. The feature is experimental and will be available from Keycloak 26.7.

The new APIs utilise Keycloak's existing authorization capabilities behind the scenes and allow Keycloak to act as an AuthZEN Policy Decision Point.

The following blog post provides some context about what AuthZEN is and why Keycloak has embraced these APIs: https://www.keycloak.org/2026/05/authzen-as-experimental-feature

Documentation is available on the nightly build of the site: https://www.keycloak.org/nightly/securing-apps/authzen-authorization

I have also implemented a playground scenario to help people try it out.

Feedback would be much appreciated, either here or on the AuthZEN GitHub discussion.

u/remerson2 — 2 days ago
▲ 11 · 1 crosspost

Keycloak in production (On-prem vs IaaS vs PaaS vs SaaS)

Been watching teams agonize over Keycloak deployment models. Weeks of debate, decision matrices, the works. And then the constraint that wasn't in the matrix: the team they have doesn't match the model they're picking.

Here's what nobody puts in the slide. The team requirement barely moves between on-prem, IaaS, marketplace, and PaaS. The real shift only kicks in at SaaS.

What actually changes at each level:

  • On-prem: infra engineers, a DBA, a Keycloak specialist who can debug a failed rolling upgrade at 2 AM, an SRE to glue it together. A dedicated team.
  • IaaS: hardware goes away. Keycloak ops don't. You still need someone who knows what happens to Infinispan sessions during a rolling upgrade.
  • Marketplace: day one is magical. Day thirty looks exactly like raw IaaS. The image won't update itself.
  • PaaS: less infra to manage. Same Keycloak gotchas. v25 changed Infinispan serialization; your custom SPI still needs a tweak after the upgrade.
  • Managed Keycloak / SaaS: team requirement collapses to "someone who understands IAM concepts". Could be a developer.

The right question isn't "what's the best deployment model". It's "what's the best model for the team I have today".

Full breakdown with the team-size implications for each model: https://www.cloud-iam.com/post/keycloak-in-production/

u/Will-from-CloudIAM — 9 days ago

Open source Keycloak theme with React + shadcn/ui — layout, colors, fonts, all configurable from env vars

Hey everyone,

I've been working on an open-source Keycloak login theme built with React, TypeScript, Tailwind CSS v4, and shadcn/ui on top of Keycloakify, and I just shipped what I think is the most useful feature yet — full theme customization through environment variables.

The idea is simple: you shouldn't have to touch any code just to change your logo, colors, fonts, or layout. Everything is controlled through env vars you set directly in Keycloak:

- SHADCN_THEME_LAYOUT → two-column | centered-card | image-aside
- SHADCN_THEME_PRESET → 18 accent color options
- SHADCN_THEME_FONT → inter, geist, manrope, and more
- SHADCN_THEME_BASE → neutral, stone, zinc, taupe...
- SHADCN_THEME_LOGO_WHITE_URL / SHADCN_THEME_LOGO_DARK_URL

It follows the shadcn/ui philosophy — you own the code, nothing is hidden behind a black box, and you only maintain what you've explicitly customized. Everything else updates automatically every time you run npm install. No manual patching, no hunting through diffs.

All 35+ Keycloak login pages are covered, dark mode is built in, RTL is supported, and there's a live Storybook playground you can use to try out every combination before writing a single line:

👉 https://oussemasahbeni.github.io/keycloakify-shadcn-starter/

This is also just the starting point. The bigger goal is a full web-based UI to visually configure login pages in real time + better email template customization — completely free and open source.

GitHub: github.com/Oussemasahbeni/keycloakify-shadcn-starter

Happy to answer any questions or take feedback!

u/Negative-Pound4360 — 9 days ago